Researchers have found a way to wiggle their way between two endpoints communicating via Bluetooth, giving them the opportunity to mount device impersonation or man-in-the-middle (MitM) attacks.
The technique was discovered by cybersecurity researchers at Eurecom, BleepingComputer reports. They found two flaws that can compromise the secrecy of a Bluetooth session, and six possible attack scenarios, which they dubbed “BLUFFS”.
The flaws are now tracked as CVE-2023-24023, and affect the Bluetooth Core Specification from version 4.2 onward. They affect Bluetooth “at a fundamental level”, the publication explains.
Billions of vulnerable devices
The vulnerabilities stem from the way Bluetooth derives the session keys used to decrypt exchanged data. By interfering with the derivation process, attackers can force Bluetooth to derive a short session key, which can subsequently be brute-forced. That allows the attackers to eavesdrop on any communication between the two endpoints.
The challenge here is that the attacker needs to be within Bluetooth range of the two targets in order to pull the attack off. That being said, there are six different attacks that can be mounted abusing the flaw, including different MitM attacks, the researchers said. They also developed a toolkit to demonstrate just how effective BLUFFS are, and shared it on GitHub.
Finally, the researchers came up with a couple of modifications to the Bluetooth standard that would tackle BLUFFS and similar threats, including an enhancement to the session key derivation process. The modifications are backward-compatible, they added. The list of mitigations can be found here.
Bluetooth has been around for years and is considered a safe, well-established standard for wireless communication. Therefore, such a vulnerability could be abused to compromise billions of devices around the world, including laptops, smartphones, different internet-connected sensors, and more.
Eurecom tested the flaws on different endpoints and found that all of them were vulnerable to at least three out of six BLUFFS attacks.